Split-horizon DNS
In computer networking, split-horizon DNS, split-view DNS, split-brain DNS, or split DNS is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, selected by, usually, the source address of the DNS request.
This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an administrative domain, e.g., company) and access from an unsecure, public network (e.g. the Internet).
Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to DNS zone records. The latter is a common feature of many server software implementations of the DNS protocol (cf. Comparison of DNS server software) and is sometimes the implied meaning of the term split-horizon DNS, since all other forms of implementation can be achieved with any DNS server software.
Split-Horizon DNS and DNSSEC
Split-horizon DNS is designed to provide different authoritative answers to an identical query and DNSSEC is used to ensure veracity of data returned by the Domain Name System. These apparently conflicting goals create the potential for confusion or false security alerts in poorly constructed networks. Research has produced recommendations to properly combine these two DNS features.[1]
Use Case
One common use case for Split-horizon DNS is when a server is located internally, but has NAT'ed access from the outside. By using split-horizon DNS the server can be accessed by the same URL no matter which side of the Network the device is being accessed from. This allows for a single DNS server to correctly provide the necessary information for a given URL independent of the user's network location.
Internal View:
@ IN SOA ns.example.net admin.example.net. ( 2010010101 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ NS ns.example.net. ns IN A 10.0.0.2 example.net. IN A 10.0.0.1 host1.example.net. IN A 10.0.0.10 host2.example.net. IN A 10.0.0.20
External View:
@ IN SOA ns.example.net admin.example.net. ( 2010010101 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ NS ns.example.net. ns IN A 172.31.255.11 example.net. IN A 172.31.255.1 host1.example.net. IN A 172.31.255.10 host2.example.net. IN A 172.31.255.20
See also
References
- Providing "split horizon" DNS service.
- BIND 9 Configure Views To Partition External and Internal DNS Information.
- Providing "split horizon" DNS service on OS X Server systems (as of OS X Server version 10.6.2).
- Detailed How-to on DNS Views on Bind 9.